Forgive me if I'm being dense or missing something obvious. I'm a bit of a noob.
I have Theia working correctly on my remote VPS, and once I start the process, I can access the Theia IDE by going to MY.VPS.IP.NUM:8181
But there's no login or anything required, and it's not an https connection. Does that mean that anyone who knows to visit MY.VPS.IP.NUM:8181 would have access to my file system?! If so, that's a security deal-breaker.
How would you recommend I lock down access to Theia so only authorized users have access to the IDE?
Launch Theia with a command like:
yarn theia start /my-workspace --hostname theia.MYDOMAIN.com --port 8181
OS and Theia version:
CentOS 7, yarn x1.22.0, theia 0.16.0
Thank you for taking an interest in the framework @neocamel :)
While I'm no expert on this matter, I can offer you some guidance.
Theia in fact does also support https (https://github.com/eclipse-theia/theia/pull/960).
The framework does not provide any authentication methods by default, and something
like a login system would need to be implemented by the application which uses Theia.
You can take a look at the following past discussions:
Perhaps others can chime in if they have other information.
Thanks for the info and the links. After reviewing the links you provided, it looks like using Nginx to set up a reverse proxy is probably the best solution. That said, I'm new to nginx and I'm not very strong with the world of DNS and domains either. To think out loud, would the process be something like:
Nginx (once installed and configured) will watch for incoming connections to the server on a specific port (the port I want to use Theia on). When an incoming connection is detected, Nginx routes that connection to an SSL-protected address? If so, I'm still not seeing where in this process a user authenticates themselves to be allowed to visit the address they are requesting?
I'm reading up on it now, and I've got Engintron installed on my WHM, to make installing/configuring Nginx easier, but I'm still a bit lost and would appreciate any guidance you have on setting up this configuration. Thanks!
That said, I'm new to nginx and I'm not very strong with the world of DNS and domains either.
Unfortunately I don't think I can be of any more help @neocamel, I don't have much knowledge regarding nginx :( Perhaps others will have more information; it might also be worthwhile to ask in the issues I previously linked.
Adding on, I think this article would be very helpful. The general approach is to push the HTTPS and Authentication responsibilities onto Nginx, then run eclipse-theia behind Nginx.
You mentioned you are using CentOS, but I think the walkthrough should still work since you're using Docker to containerize everything (the walkthrough uses ubuntu). These are also all pretty standard tools.
Tools needed:
Actually, I have had zero success getting Docker to run, which is a royal pain as a lot of applications seem to rely on it. I'm still wrapping my head around what it actually does. And I'm running into a brick wall just trying to get "run hello-world" to do whatever it's supposed to do. I can't seem to get the docker daemon started? I'm googling pretty hard right now trying to figure it out but I'm coming up short...
While this is outside the scope of eclipse-theia, here are some links to get started:
Docker allows you to standardize your environment. This is useful when attempting to run the same programs on different hardware or operating systems.
We should do some Q&A wiki page on this topic, so many good articles already.
We should do some Q&A wiki page on this topic, so many good articles already.
Would be willing to help with that.
I'm down to contribute however I can to that discussion. I've needed to take a few steps back in my workflow arrangement, as I was advised that inMotion VPS does not allow Docker, which caused my server to crash. I'm going to move my development work to a Pi running CentOS and LAMP, which I'm trying to set up now. Hopefully I can get docker installed on the Pi, then can move forward with integrating Theia into my workflow. I'll keep an eye on this thread.
The easiest to configure, if you simply want to lock the entire Theia giving access to only a few people, and your domain happens to be on Cloudflare, is to use Cloudflare Access. It lets you lock out the entire domain, subdomain or paths and you can set it up to only use specific users via email or even via GitHub login. It is free for the first 5 users. Again, this works if you simply want to lock the page with authentication, no complicated stuff here.
It would be helpful if someone can sum it up as a website page here: https://github.com/theia-ide/theia-website
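The reverse-proxy approach discussed in this thread, as an added example that is not from any of the posters or the Theia project: nginx terminates TLS and enforces HTTP basic auth, then forwards to Theia listening only on loopback. `theia.MYDOMAIN.com` and port 8181 come from the question; the certificate paths, the htpasswd path and the loopback bind are assumptions.

```nginx
# Added example. Assumes Theia is started bound to loopback only, e.g.
#   yarn theia start /my-workspace --hostname 127.0.0.1 --port 8181
# so that port 8181 is no longer reachable from the internet directly.

# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    server_name theia.MYDOMAIN.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name theia.MYDOMAIN.com;

    # Assumed paths; point these at your own certificate and key.
    ssl_certificate     /etc/nginx/tls/theia.MYDOMAIN.com.crt;
    ssl_certificate_key /etc/nginx/tls/theia.MYDOMAIN.com.key;

    # Authentication happens here: nginx rejects any request without
    # valid credentials before it ever reaches Theia.
    # Assumed path; create the file with:
    #   htpasswd -c /etc/nginx/theia.htpasswd USERNAME
    auth_basic           "Theia";
    auth_basic_user_file /etc/nginx/theia.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:8181;

        # Theia's frontend talks to its backend over WebSockets,
        # so the Upgrade handshake has to be passed through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;

        # Keep long-lived IDE connections from being cut off.
        proxy_read_timeout 1h;
    }
}
```

Basic auth is only safe over the HTTPS listener, since the credentials are sent with every request. Blocking inbound 8181 at the firewall as well keeps the IDE unreachable if Theia is ever restarted with a public `--hostname`.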